openssl – plik konfiguracyjny CA – openssl-ca.cnf

https://stackoverflow.com/questions/21297139/how-do-you-sign-a-certificate-signing-request-with-your-certification-authority/21340898#

Plik konfiguracyjny CA

# nano openssl-ca.cnf

# Fallback so that $ENV::HOME below still resolves when HOME is not in the
# environment (OpenSSL looks the name up in the environment first, then here).
HOME = .
# Seed file for older OpenSSL builds; recent releases seed the CSPRNG
# themselves, so this line is harmless there.
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ ca ]
# Section that `openssl ca` reads when no -name is given on the command line
default_ca = CA_default

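[ CA_default ]
# Working directory of the CA; every path below is relative to it
base_dir = .
# The CA certificate (created with `openssl req -x509` via the [ req ] section)
certificate = $base_dir/cacert.pem
# The CA private key. Must be the file that `req` wrote (default_keyfile or
# -keyout); keep it passphrase-protected and readable only by the CA operator
private_key = $base_dir/private/cakey.pem
# Location for new certs after signing (directory must exist)
new_certs_dir = $base_dir/newcerts
# Database index file (must exist, even if empty, before the first signing)
database = $base_dir/index.txt
# The current serial number (file must exist; initialise it with e.g. 01)
serial = $base_dir/serial
# Refuse to issue a second valid certificate with the same subject
unique_subject = yes
# How long to certify for: 1095 days = 3 years
default_days = 1095
# How long before next CRL (days)
default_crl_days = 30
# Signature digest
default_md = sha256
# no = DN order follows the policy section; yes = keep the order from the CSR
preserve = no

# Default policy and extension profile for `openssl ca`. Both point at the
# end-entity (leaf) profile so that running `openssl ca` without
# -policy / -extensions cannot issue a CA:true certificate by mistake.
# The CA's own extensions (ca_extensions) are only referenced from [ req ],
# which builds the self-signed root. Command-line flags still override these.
policy = signing_policy
x509_extensions = signing_req

# Don't concat the email in the DN
email_in_dn = no
# Required to copy SANs from CSR to cert.
# NOTE: `copy` takes every extension from the CSR that is NOT already set in the
# extensions section used for signing, so a requester can still supply e.g.
# extendedKeyUsage or nameConstraints. Define every extension you care about in
# signing_req (its values win over the CSR) and inspect the CSR before signing.
copy_extensions = copy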

####################################################################
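[ req ]
# Key size (bits) when `openssl req` generates a new key
default_bits = 4096
# Where the new private key is written unless -keyout is given.
# Matches private_key in [ CA_default ] so that `openssl ca` finds the key;
# the private/ directory must exist beforehand.
default_keyfile = private/cakey.pem
# Encrypt the new key with a passphrase (OpenSSL's default; -nodes disables it)
encrypt_key = yes
# Digest for the CSR / self-signed certificate signature
default_md = sha256
# Prompts and default values for the subject DN
distinguished_name = ca_distinguished_name
# Extensions placed in the self-signed CA certificate (openssl req -x509)
x509_extensions = ca_extensions
# Encode DN strings as UTF8String only
string_mask = utf8only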

####################################################################
[ ca_distinguished_name ]
# Prompt text and default value for each subject component.
# The order below is the order of the components in the generated DN.

countryName = Country Name (2 letter code)
countryName_default = PL

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Mazowieckie

localityName = Locality Name (eg, city)
localityName_default = Warszawa

organizationName = Organization Name (eg, company)
organizationName_default = H27.pl

organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Dział bezpieczeństwa

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = h27.pl

# email_in_dn in [ CA_default ] only affects certificates issued by `openssl ca`;
# the self-signed CA certificate built by `req -x509` will carry this value
# in its subject if it is not left empty at the prompt.
emailAddress = Email Address
emailAddress_default = cert@h27.pl

####################################################################
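[ ca_extensions ]
# Extensions for the self-signed CA certificate (referenced from [ req ])

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
# Critical: this certificate is a CA. Add pathlen:0 if it must never issue
# subordinate CA certificates.
basicConstraints = critical, CA:true
# Critical as recommended by RFC 5280 4.2.1.3; limits the CA key to signing
# certificates and CRLs
keyUsage = critical, keyCertSign, cRLSign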

Poniższe sekcje uzupełnić po wygenerowaniu certyfikatu CA – służą do podpisywania żądań (CSR).

####################################################################
[ signing_policy ]
# Subject policy for `openssl ca`:
#   supplied = the CSR must contain the field,
#   optional = copied into the certificate if present,
#   match    = the value must equal the one in the CA certificate.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ signing_req ]
# Extension profile for end-entity certificates (use with -extensions signing_req).
# Values set here override the same extension in the CSR; anything not listed
# here (e.g. subjectAltName, extendedKeyUsage) is taken from the CSR because
# copy_extensions = copy. Set extendedKeyUsage here if the CSR must not choose it.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
# Issued certificates are never CAs, whatever the CSR asked for
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
